covering yourpaas
TRANSCRIPT
PREPARED BY:
Covering Your PaaS : Securing Azure Platform As A Service Offerings
Mark Greenway
Jan 9th 2014
@MarkKGreenway
MarkGreenway.NET
1 THE INTROOverview
2 WEBSITESSecuring The Sites Themselves
3 BLOB STORAGEAzure Storage
4 SQL AZUREMicrosoft’s SQL As A Service Offering
5 SERVICE BUSQueues
6 DOCUMENT DBNOSQL with SQL Querying
1 THE INTROOverview
2 WEBSITESSecuring The Sites Themselves
3 BLOB STORAGEAzure Storage
4 SQL AZUREMicrosoft’s SQL As A Service Offering
5 SERVICE BUSQueues
6 DOCUMENT DBNOSQL with SQL Querying
THIS IS NOT AN EXHAUSTIVE LIST
It’s just some things to think about
– Most of this is a product of thought
4Insert your footer here if needed.
DON’T BE LIKE MEUse Azure Active Directory!
1 THE INTROOverview
2 WEBSITESSecuring The Sites Themselves
3 BLOB STORAGEAzure Storage
4 SQL AZUREMicrosoft’s SQL As A Service Offering
5 SERVICE BUSQueues
6 DOCUMENT DBNOSQL with SQL Querying
“First remember to secure your
site first, before assisting others
in securing their site.”
– Mark Greenway
HOW TO SEE IF YOUR SITE IS SECURE
8
The Zed Attack Proxy (ZAP)
is an easy to use integrated
penetration testing tool for
finding vulnerabilities in web
applications.
SQLiX, coded in Perl, is a
SQL Injection scanner, able
to crawl, detect SQL injection
vectors, identify the back-
end database…
OWASP ZED ATTACK
PROXY PROJECTOWASP SQLiX
PROJECT
1 2
Resources, and whitepapers
on what parts of your page
you need to focus on, what’s
handled for you.
MICROSOFT TRUST
CENTER
3
TURN OFF WHAT YOU DON’T NEED
9
THINK ABOUT DIAGNOSTICS
10
USE SSL.
Takes less than 20 minutes
– http://tech.pro/tutorial/1598/installing-a-ssl-
certificate-from-dnsimple-on-windows-azure
– That’s just DNSimple there’s others.
Don’t worry about :
– Heartbleed
– SSLv3 etc.
11Covering Your PaaS
1 THE INTROOverview
2 WEBSITESSecuring The Sites Themselves
3 BLOB STORAGEAzure Storage
4 SQL AZUREMicrosoft’s SQL As A Service Offering
5 SERVICE BUSQueues
6 DOCUMENT DBNOSQL with SQL Querying
MANAGE YOUR ACCESS KEYS
13
For administration purposes
only. Used by the admins
and changed frequently.
This is for use by your
websites and webjobs. All
the production services in
your solutions.
ADMIN KEY SERVICES KEY
DON’T MIX PUBLIC AND PRIVATE
BLOBS
14
GIVING PEOPLE ACCESS
15
Self destructing access to a
blob. Set time limits and
individual access.
Give access through your
site, to stream the blob
through the webserver.
Give everyone full read
access to the blob.
SHARED ACCESS
SIGNATURES CODE PROXY PUBLIC
VS. VS.
1 THE INTROOverview
2 WEBSITESSecuring The Sites Themselves
3 BLOB STORAGEAzure Storage
4 SQL AZUREMicrosoft’s SQL As A Service Offering
5 SERVICE BUSQueues
6 DOCUMENT DBNOSQL with SQL Querying
CONNECTION STRINGSThe first part for security is connecting to the
database the right way.
USE SSL
18First rule of security : AUS --- Always Use SSL
Encrypt=True
DON’T TRUST ANYONE
19Second rule of security : DTAE – DON’T TRUST ANYONE EVER
Trusted_Connection=False
USE THE SECURE URI
20
Server=rxkxl9gm1p.database.secure.windows.net,1433
USE THE SECURE URI
21
USE THE SECURE URI
22
<m:properties><d:PartitionKey>defaultgroup*rgm1xkxl9p.database.windows.net*compasssql*0</d:PartitionKey><d:RowKey>2519815506106352638*8886d2a7-b16a-4dfc-8be7-04000d5d93fa</d:RowKey><d:Timestamp m:type="Edm.DateTime">2015-01-08T20:49:48.7465279Z</d:Timestamp><d:EventTime m:type="Edm.DateTime">2015-01-08T20:49:49.3647361Z</d:EventTime><d:ServerName>rgm1xkxl9p.database.windows.net</d:ServerName><d:DatabaseName>compasssql</d:DatabaseName><d:ApplicationName>Microsoft SQL Server Management Studio - Query</d:ApplicationName><d:ClientIP>75.98.233.131</d:ClientIP><d:EventId m:type="Edm.Guid">b1ff7b7e-5d43-441e-92ee-2fede3ce67bc</d:EventId><d:EventType>DataAccess</d:EventType><d:ActionStatus>Success</d:ActionStatus><d:FailureReason></d:FailureReason><d:FailureSeverity></d:FailureSeverity><d:Statement>SELECT * from tbl_Loss where lok_client = 126149</d:Statement><d:PrincipalName>wssa</d:PrincipalName><d:AffectedRows m:type="Edm.Int64">107</d:AffectedRows><d:ResponseRows m:type="Edm.Int64">107</d:ResponseRows><d:ServerDuration>00:00:00</d:ServerDuration><d:ConnectionGuid>ee68edc8-025b-4878-831f-bb2360df0eb9</d:ConnectionGuid><d:SchemaVersion>1.1.0.0</d:SchemaVersion><d:Origin>TDS</d:Origin><d:FragmentIndex m:type="Edm.Int64">1</d:FragmentIndex>
</m:properties>
SET THE SERVER ACL
SET THE DATABASE ACL
SERVER AND DATABASE ACL
25
SERVERACL
DB ACL
1 THE INTROOverview
2 WEBSITESSecuring The Sites Themselves
3 BLOB STORAGEAzure Storage
4 SQL AZUREMicrosoft’s SQL As A Service Offering
5 SERVICE BUSQueues
6 DOCUMENT DBNOSQL with SQL Querying
DIFFERENT KEYS
1 THE INTROOverview
2 WEBSITESSecuring The Sites Themselves
3 BLOB STORAGEAzure Storage
4 SQL AZUREMicrosoft’s SQL As A Service Offering
5 SERVICE BUSQueues
6 DOCUMENT DBNOSQL with SQL Querying
MANAGE YOUR KEYS RIGHT
THANK YOU!@MarkKGreenway
MarkGreenway.net
https://www.slideshare.net/MarkKGreenway/covering-yourpaas